Mum's the Word: Feds Are Serious About Protecting Patients' Privacy

The temptation to snoop through celebrities' medical records was too much for a UCLA School of Medicine researcher, and it landed him in jail for four months.

In April, Huping Zhou, MD, a cardiothoracic surgeon licensed in China, became the first person to go to jail for violating Health Insurance Portability and Accountability Act (HIPAA) security provisions. Dr. Zhou pleaded guilty to four misdemeanor counts and admitted to accessing UCLA patient records - most of them belonging to celebrities - 323 times over three weeks.

According to news reports, Dr. Zhou, 48, viewed the medical records after being terminated from his job at UCLA. Prosecutors say he didn't attempt to sell or improperly use any of the protected health information (PHI) he accessed illegally.

He originally faced four years in prison but decided to plead guilty to "obtaining individually identifiable health information without a valid reason, medical or otherwise" before his trial began.

The case illustrates how the federal government has upped the ante for violating patient privacy provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act significantly changes HIPAA privacy and security policies that affect physicians. Chief among them, according to Deborah C. Hiser, JD, are the new breach notification regulations, developed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The Texas Medical Association has developed resources, in conjunction with Ms. Hiser and Ana Cowan, JD, with the law firm of Brown McCarroll LLP, to help physicians comply with the new HIPAA regulations. Both attorneys focus on health care regulatory and compliance matters. (See "TMA Helps Doctors Comply With New HIPAA Regulations.")

Last August, HHS issued an interim final rule [PDF] that applies to health care professionals, health plans, and other entities covered by HIPAA. The new regulations require physicians to have systems to detect breaches of patients' private information and to notify them when a breach occurs.

HHS defines a breach as "an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information" and poses a significant risk of "financial, reputational, or other harm" to the patient.

Ms. Hiser says physicians should check the OCR website for updates on when the breach notification rule becomes final and for other HIPAA regulations.

But, she warns, the federal government isn't waiting to enforce the law.

"Physicians can't wait on the final regulations to comply," Ms. Hiser said. "HITECH requires them to keep track of any security incidents, such as attempts to access the patient record system, regardless of whether they are successful. Physicians have to submit logs of all breaches of unsecured PHI to the federal government."
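The Zhou case (a terminated employee reading 323 records over three weeks) and Ms. Hiser's point that every access attempt, successful or not, must be tracked both come down to reviewing the EHR audit log. The following is an added example of that review, not code from the article, TMA, HHS or UCLA. It assumes a pipe-delimited audit log in the format shown in the comment, an HR feed of termination dates, and illustrative thresholds; every log line and user name is constructed.

```python
"""Audit-log review for insider access to patient records.

Added example, not code from the article or from TMA, HHS or UCLA.
Assumptions: a pipe-delimited EHR audit log (format below), an HR feed of
termination dates, and illustrative thresholds. All data is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    patient: str
    outcome: str  # "SUCCESS" or "DENIED"


# Constructed sample log. Assumed format:
# <ISO-8601 timestamp>|<user id>|<action>|<patient id>|<SUCCESS|DENIED>
AUDIT_LOG = """\
2023-01-10T09:02:11|dr.lee|VIEW|P1001|SUCCESS
2023-01-10T09:03:40|dr.lee|VIEW|P1002|SUCCESS
2023-01-11T22:14:05|jdoe|VIEW|P2001|SUCCESS
2023-01-11T22:14:50|jdoe|VIEW|P2002|SUCCESS
2023-01-11T22:15:30|jdoe|VIEW|P2003|SUCCESS
2023-01-11T22:16:02|jdoe|VIEW|P2004|DENIED
2023-01-12T08:00:00|nurse.k|VIEW|P1001|SUCCESS
2023-01-12T08:00:30|nurse.k|VIEW|P1002|DENIED
"""

# Constructed HR feed: user id -> date on which access should have ended.
TERMINATED = {"jdoe": datetime(2023, 1, 9)}


def parse_log(text: str) -> list:
    """Parse the audit log; every attempt is kept, successful or not."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, outcome = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, action, patient, outcome))
    return events


def access_after_termination(events, terminated):
    """Any attempt (denied or not) by a user on or after their termination date."""
    return [e for e in events
            if e.user in terminated and e.ts >= terminated[e.user]]


def failed_attempts(events) -> Counter:
    """Count denied attempts per user; these are security incidents to log too."""
    return Counter(e.user for e in events if e.outcome == "DENIED")


def high_volume_users(events, max_patients=3, window=timedelta(hours=1)):
    """Users who touch more than max_patients distinct records within one window.

    Returns {user: peak distinct patient count}. The threshold and window are
    illustrative; a practice would tune them to its own workload.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        peak, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, len({e.patient for e in evs[start:end + 1]}))
        if peak > max_patients:
            flagged[user] = peak
    return flagged


def review(log_text=AUDIT_LOG, terminated=TERMINATED):
    """Run all three checks and return the findings for the incident log."""
    events = parse_log(log_text)
    return {
        "post_termination": access_after_termination(events, terminated),
        "denied": failed_attempts(events),
        "high_volume": high_volume_users(events),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
```

On the constructed data the review flags jdoe on all three checks: four attempts after the termination date (including the denied one), one denied attempt, and four distinct patients inside one hour. Keeping denied attempts in the log, rather than only successful reads, is what lets the second and first checks work at all.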

In addition to the new breach notification requirements, Ms. Hiser says changes to HIPAA privacy and security policies that affect medical practices include:

All business associates, such as billing companies, are now subject to the same privacy and security rules and penalties as physicians; and

State attorneys general can now sue on behalf of a state's residents for matters involving HIPAA violations.

Ms. Hiser says that if a state attorney general sues a physician and collects damages, or if the federal government imposes penalties on a physician, patients whose protected information is breached are entitled to a portion of the money.

"This could be significant in states that have tort reform like Texas, where attorneys may see an opportunity to work with patients in filing complaints with attorneys general or the federal government on cases involving HIPAA privacy and security violations," Ms. Hiser said.

Ms. Hiser says physicians would be smart not only to have a system to detect PHI breaches but also to encrypt the information to make it unusable and unreadable by unauthorized individuals. The reason: Physicians and business associates need only provide the required notification if the breach involves unsecured PHI.

HHS defines unsecured PHI as not having been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS secretary. Therefore, if the information has been encrypted or destroyed, the unauthorized individual who accesses it won't be able to use, read, or decipher it.

Ms. Hiser explains that while the HITECH Act doesn't mandate encryption and destruction of PHI, it's a good idea to do so. HHS and the Federal Trade Commission recommend encrypting electronic records and destroying paper records as appropriate as ways to make PHI indecipherable. HHS posted information on ways to render unsecured PHI unusable, unreadable, or indecipherable on its website.

Deborah Peel, MD, an Austin psychiatrist and founder of Patient Privacy Rights, encourages physicians to do their homework before buying an electronic medical record (EMR) system. She says they need to make sure the systems allow them to segment and encrypt sensitive patient data.

Physicians also need to be careful that their EMR vendors don't sell their patients' PHI. To strengthen the confidentiality of patients' PHI, Dr. Peel says, physicians should read their vendor contracts carefully.

"In many of the EMR systems, the vendor reserves the right to own or use and sell the data," she says. "Unless physicians carefully read the vendor contract, they may not know patient data is sold and could be giving their patients false assurances that their records are private."

The HITECH Act generally prohibits selling PHI without authorization, including PHI in electronic format. HHS must issue regulations on that piece of the law before Aug. 27. Regulations will take effect six months later.

Assess Risk and Notify

Once a breach occurs, a physician must determine if it harms the patient. For example, Ms. Hiser says, unauthorized access to Social Security numbers and dates of birth could result in identity theft. Disclosing that a patient is infected with HIV could harm the patient's reputation and jeopardize his or her employment.

When the physician determines the patient is at risk, he or she must promptly inform the patient. In addition, physicians must notify the HHS secretary and the news media if the breach involves more than 500 individuals' protected information. Physicians can submit breach notifications to HHS online.

The HHS requires notice without unreasonable delay and no later than 60 days after the breach is discovered.

A quick scan of the website reveals that many of the breaches are due to theft of a portable electronic device, network server, desktop computer, or laptop computer. Other methods of breach include improper disposal of paper medical records, theft of paper medical records, unauthorized e-mail access, a hacked network server, theft of CDs, theft of backup tapes, unauthorized access to paper records, misdirected e-mail, and e-mail phishing scams.

For breaches that affect fewer than 500 individuals, a physician must provide the HHS secretary with notice annually. According to HHS, all notifications of breaches occurring in a year must be submitted within 60 days of the end of the year.

To comply with the new regulations, Ms. Hiser says physicians need to develop written HITECH policies and procedures, including one for breach notification.

"Don't wait until an enforcement action has been initiated against you because it will be more difficult to defend yourself if you do not have existing policies and procedures," she says.

Under the new regulations, physicians and business associates must demonstrate that all required notifications have been made, or that a use or disclosure of unsecured PHI didn't constitute a breach.

"Physicians need to train their employees on the HITECH Act requirements and talk with their information technology consultants to make sure their systems can encrypt PHI and detect breaches," she said.

She also recommends physicians incorporate the new HITECH privacy and security provisions into their existing business associate agreements.

The new HIPAA security provisions require physicians' business associates, such as billing companies, EMR vendors, or information technology consultants, to notify them of breaches on their part. Failure to comply with the reporting requirements may subject business associates to civil and criminal penalties under HIPAA.

"In the past, HIPAA required a doctor to either terminate the contract with the vendor, or if termination were not feasible, notify the federal government if the vendor breached patients' PHI," Ms. Hiser said.

She adds that under HITECH, when physicians enter into business associate agreements, they now have to decide whether to require the associate to notify the physician so the physician can notify patients who may be harmed by the breach, or whether to require the business associate to notify those patients directly.

Also, physicians must include language in the agreements about the role of the business associate with respect to the physician's risk assessment.

Business associate agreements should summarize the requirements that physicians and associates must comply with under HIPAA and HITECH regulations. TMA's Policy and Procedure Manual will contain a business associate agreement template that can be tailored to a physician's practice. TMA anticipates release of the updated Policy and Procedure Manual in early 2011. Look for information about the manual on TMA's website and in the Action newsletter.

Crystal Conde can be reached at (800) 880-1300, ext. 1385, or (512) 370-1385; by fax at (512) 370-1629; or by e-mail at Crystal Conde.

SIDEBAR

HITECH Act Increases HIPAA Violation Penalties

The Health Information Technology for Economic and Clinical Health (HITECH) Act imposes heightened enforcement, increased penalties, and audits. The level of intent and neglect - whether the violation occurs without knowledge, due to reasonable cause, or due to willful neglect - is the basis for the civil penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA).

For violations made without knowledge, penalties start at $100 per violation. For violations based on reasonable cause, penalties start at $1,000 per violation. Penalties for violations due to willful neglect start at $10,000 per violation.

Penalties start at $50,000 per violation for violations due to willful neglect that are not corrected within 30 days. The HITECH Act specifically allows the Office for Civil Rights (OCR) to continue to use corrective action without a penalty, but only in instances of violation without knowledge.

The HITECH Act clarifies that criminal penalties may apply directly to an individual or employee of a covered entity.

According to HHS, any penalty payments collected will be used to support the enforcement activities of the OCR. Further, state attorneys general enforce the HIPAA rules on behalf of their residents, and the U.S. Department of Health & Human Services must conduct periodic audits of covered entities and business associates to ensure HIPAA compliance. Most penalty provisions became effective Feb. 17, 2009.

TMA Helps Doctors Comply With New HIPAA Regulations

The Texas Medical Association has resources to help physicians comply with the new Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations. TMA is offering a webinar on HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, presented by Deborah C. Hiser, JD, an expert in health care regulatory and compliance matters with the Austin office of Brown McCarroll LLP.

The risk management seminar will guide physicians on preparing and implementing policies to comply with new HIPAA and HITECH regulations.

The recorded webinar should be available online by mid-August and continue through December 2013. For more information, contact the TMA Knowledge Center at (800) 880-7955, or visit the Distance Learning Center online.

TMA designates each educational activity for a maximum of 1 AMA PRA Category 1 Credit™. Each activity has been designated as 1 hour of ethics and/or professional responsibility education.

In addition, TMA is updating its Policy and Procedure Manual. Here's a sample of the guidance available to physicians:

Training staff on the HITECH Act requirements;

Creating a business associate agreement that incorporates the new provisions into existing contracts;

Developing a breach notification and procedure policy, as well as a security policy;

A business associate agreement template that can be tailored; and

A sample breach notification letter that can be sent to patients whose protected health information has been breached.

TMA anticipates release of the updated Policy and Procedure Manual in early 2011. Look for information about the manual on TMA's website and in the Action newsletter.